Tag Archive for: compromises

Androxgh0st Malware Compromises Servers Worldwide for Botnet Attack


Veriti Research has discovered a surge in attacks from operators of the Androxgh0st malware family, uncovering over 600 servers compromised primarily in the U.S., India and Taiwan.

According to Veriti’s blog post, the adversary behind Androxgh0st had their C2 server exposed, which could allow for a counterstrike by revealing the impacted targets. The researchers then went on to alert the victims.

Further research revealed that Androxgh0st operators are exploiting multiple CVEs, including CVE-2021-3129 and CVE-2024-1709, to deploy a web shell on vulnerable servers, granting remote control capabilities. Moreover, evidence suggests active web shells associated with CVE-2019-2725

Androxgh0st Malware Compromises Servers Worldwide, Building Botnets for Attacks
Image: Veriti

Androxgh0st Threat Actor Ramps Up Activity

Hackread.com has been tracking Androxgh0st operations since it was first noticed in December 2022. The malware operator is known for deploying Adhublika ransomware and was previously observed communicating with an IP address associated with the Adhublika group.

Androxgh0st operators prefer exploiting Laravel applications to steal credentials for cloud-based services like AWS, SendGrid, and Twilio. They exploit vulnerabilities in Apache web servers and PHP frameworks, deploying webshells for persistence. 

However, their recent focus seems to be building botnets to exploit more systems. Recently, the FBI and CISA issued a joint Cybersecurity Advisory (CSA) warning about Androxgh0st constructing a botnet to carry out credential theft and establish backdoor access.

Last year, Cado Security Ltd. revealed the details of a Python-based credential harvester and a hacking tool called Legion, linked to the AndroxGh0st malware family. Legion is designed to exploit email services for abuse.

The Way Forward

Veriti’s research goes on to show the importance of proactive exposure management and threat intelligence in cybersecurity. Organizations must regularly update their security measures, including patch management for known vulnerabilities, strong monitoring for web shell deployment, and behavioural analysis tools, to prevent breaches and protect against similar vulnerabilities.


Medusa ransomware compromises Philippines’ universal healthcare agency


The Philippine Health Insurance Corporation, which manages the country’s universal healthcare system, had its websites and portals disrupted by a Medusa ransomware attack last week, from which it is struggling to recover, reports The Record, a news site by cybersecurity firm Recorded Future.

Impacted systems, including Health Care Institution member portals and e-claims, have been immediately shut down following the discovery of the incident on Sept. 22, said PhilHealth President and CEO Emmanuel Ledesma.

“Affected systems shall be restored at the soonest possible time after the completion of the needed configuration and reinforcement of existing information security measures. We are working to restore these systems on Monday, September 25, 2023,” noted PhilHealth.

The Medusa ransomware operation claimed the attack a day after its discovery, with the group demanding $300,000 for the deletion of all stolen data and another $100,000 for the extension of the payment deadline. No information regarding the exfiltrated data was provided by Medusa.


3CX hack highlights risk of cascading software supply-chain compromises


At the end of March, an international VoIP software company called 3CX with over 600,000 business customers suffered a serious software supply-chain compromise that resulted in both its Windows and macOS applications being poisoned with malicious code. New evidence suggests the attackers, believed to be North Korean state-sponsored hackers, gained access to the company’s network and systems as a result of a different software supply-chain attack involving a third-party application for futures trading.

“The identified software supply chain compromise is the first we are aware of which has led to a cascading software supply chain compromise,” incident responders from cybersecurity firm Mandiant, which was contracted to investigate the incident, said in a report Thursday. “It shows the potential reach of this type of compromise, particularly when a threat actor can chain intrusions as demonstrated in this investigation.”

The North Korean connection to the 3CX attack

The 3CX hack involved attackers compromising the company’s internal software build servers for Windows and macOS after moving laterally through the company’s network. As a result, they were able to inject malicious libraries into versions of the 3CX Desktop App for Windows and macOS and have them signed with the developer’s certificate during the build process. The trojanized versions were then delivered as part of the update process.

Windows versions 18.12.407 and 18.12.416 that were shipped in Update 7 were impacted, as well as macOS versions 18.11.1213 shipped with Update 6, and 18.12.402, 18.12.407 and 18.12.416 included in Update 7.

The trojanized Windows version deployed an intermediate malware downloader that Mandiant named SUDDENICON that reaches out to a GitHub repository to obtain command-and-control (C2) addresses hidden inside icon files. The downloader then contacts the C2 server and deploys an information stealer dubbed ICONICSTEALER that collects application configuration data as well as browser history.

Researchers from Kaspersky Lab reported that in some cases the attackers deployed an additional backdoor program on some 3CX victims. This backdoor is known as…


NPM compromises. ICS advisories. Free ransomware decryptors. Update on cyber phases of Russia’s hybrid war. Disneyland hack.


Dateline

Ukraine at D+134: Preparing for an end to Russia’s operational pause. (The CyberWire) Mr. Putin says no one should count on Ukrainian battlefield victory, because Russia’s hardly gotten started.

Russia-Ukraine war: List of key events, day 135 (Al Jazeera) As the Russia-Ukraine war enters its 135th day, we take a look at the main developments.

Ukraine Says Western Weapons Begin to Help as It Raises Flag on Snake Island (Wall Street Journal) President Volodymyr Zelensky said that Western heavy weapons are starting to have an effect on the battlefield but urged speedier deliveries, particularly of antiaircraft systems, as Russia continued lobbing missiles into Ukrainian cities.

Zelensky says Ukraine will not give up territory for peace with Russia: ‘This is our land’ | CNN Politics (CNN) Ukrainian President Volodymyr Zelensky told CNN’s Wolf Blitzer on Thursday that Ukraine is unwilling to cede any of its land to Russia, standing firm that a concession of Ukrainian territory won’t be part of any diplomatic negotiations to end the war.

Russia-Ukraine war: Putin warns Moscow has ‘barely started’ its campaign (The Telegraph) Vladimir Putin has issued a defiant warning to the west claiming that Moscow has barely started its military campaign in Ukraine

Ukraine’s Implausible Theories of Victory (Foreign Affairs) The fantasy of Russian defeat and the case for diplomacy.

G-20 diplomats fail on unity over Ukraine, war’s impact (AP NEWS) Deeply divided top diplomats from the world’s richest and largest developing nations failed to find common ground Friday over Russia’s war in Ukraine and how to deal with its global impacts, leaving prospects for future cooperation in the forum uncertain.

Germany refuses to ‘plunder its own military’ for the sake of Ukraine (The Telegraph) Pressure on Olaf Scholz to provide armoured vehicles, as German MPs prepare to set an example by limiting their own use of hot water

Army leaders convene with allies to review Ukraine war lessons (Stars and Stripes) The implications of drones and long-range artillery were among the Ukraine war topics discussed by U.S. Army leaders and other allied commanders Thursday, as they assessed the path forward for an…
